A safety researcher named 0xflorent labored with the workforce behind Ethereum in 2016 ($ETH) ICO deal unlocks almost $2 million in Ether that was locked away for 9 years in a coordinated white-hat restoration that exploited an integer overflow flaw that was not patched by the unique developer.
This contract belongs to HongCoin, which was purported to mechanically refund Ethereum to buyers after failing to fulfill its fundraising purpose throughout a token sale in 2016, however a bug within the refund perform prevented the refund from occurring.
Path 0xflorent unfrozen 1,003.62 $ETH48 unique buyers are presently eligible to assert. Two individuals did this and obtained a complete of 96.5. $ETH It's price about $193,000, he stated on Sunday's X Thread.
First White Hat Exploit on Ethereum: 1,003.62 unlocked
Ξ ($2,000,000) Trapped in an ICO Sensible Contract in 2016
9 years.The unique 48 buyers can now declare their funds. pic.twitter.com/lyh5iyaDu7
— 0xflorent.eth (@0xFlorent_) Might 31, 2026
The contract's refund logic meant that holders whose token stability exceeded a worldwide counter of 356 after years of partial refunds had been rejected, with a cap on additional refunds of three.56. $ETH.
0xflorent found that HongCoin's multisig wallet-limited on-contract administration performance lacked integer overflow safety that was later integrated into the Solidity programming language. When known as with particular enter values, the holder's stability can be reset to 1, the refund examine will cross, and the funds can be launched.
Nonetheless, this restoration was not a one-sided exploitation. Since HongCoin multisig was required to carry out administrative features, 0xflorent despatched an e mail to the workforce to confirm the unlock sequence on a check fork of Ethereum's mainnet, and the workforce itself signed the unlock transaction.
We signed 41 transactions, one for every blocked proprietor, and launched roughly 1,000 transactions. $ETH It was actually caught. One other seven holders had balances sufficiently small to be refunded immediately with none workarounds.
That is the second time up to now eight days that 0xflorent has introduced such a restoration.
On Might 24, he stated he returned $19.329. $ETHprice roughly $40,590 to the unique proprietor, together with $5,141 $ETH From the failed January 2018 ICO and 14.190 $ETH It arose from seven expired atomic swaps inside Liquality pockets person accounts that grew to become inaccessible after the pockets closure in 2024.
This restoration has landed throughout a time of large DeFi exploits, with lots of of hundreds of thousands of {dollars} leaked throughout protocols in April alone, led by a roughly $293 million hit to the Kelp DAO.
